The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts. Based on our analysis, Carko is a minor variant of stacheldraht, a widely used DDoS tool. The source code for Carko is almost identical to the source code for stacheldraht. As a result, there is no additional functionality in this tool. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability described in the following document to compromise hosts and then install Carko.

Compromised hosts are at high risk of being used to attack other Internet sites, of having system binaries and configuration files altered, and of exposing sensitive information to external parties. Additionally, DDoS tools are capable of diminishing the availability of services through packet-flooding attacks and other resource-consumption attacks.